Re: [Full-disclosure] adobe.com important subdomain SQL injection again!
However, with the debut of HTML 5, we're finding that video is being offloaded to and open codecs are being integrated into browsers. Further, HTML 5's media capabilities are making flash cumbersome. Not to resurrect a dead thread, but Microsoft's Silverlight applied a lot of lessons from Flash: BlueHat v9: RIA Security: Real-World Lessons from Flash and Silverlight, http://technet.microsoft.com/en-us/security/video/ee834904. At least some folks are learning from Adobe's mistakes. Jeff On Sun, Dec 19, 2010 at 7:56 PM, Victor Rigo wrote: > Concurred. No file format is as obnoxious as SWF. > > However, with the debut of HTML 5, we're finding that video is being > offloaded to and open codecs are being integrated into browsers. > Further, HTML 5's media capabilities are making flash cumbersome. > > Try disabling flash extension on Firefox and enjoy real internet. > > Victor Rigo, CISSP > Independent Computer Security Consultant > Buenos Aires, AR > +5411-4316-1901 > > --- On *Sun, 12/19/10, Christian Sciberras * wrote: > > > From: Christian Sciberras > Subject: Re: [Full-disclosure] adobe.com important subdomain SQL injection > again! > To: "Marsh Ray" > Cc: "Victor Rigo" , > full-disclosure@lists.grok.org.uk > Date: Sunday, December 19, 2010, 9:25 PM > > > "Personally, I kind of like Flash. It gives me a single kill switch for > 90% of the useless blinking crap and popups on the internet. Flash is a > really appropriate name for exactly what I don't want to see on a web > page. I hope it remains the platform of choice for those who develop > such things." - Marsh Ray > > I'll keep using that quote till I die... > > > > > On Sun, Dec 19, 2010 at 9:32 PM, Marsh Ray > http://mc/compose?to=ma...@extendedsubset.com> > > wrote: > > On 12/18/2010 05:30 PM, Victor Rigo wrote: > > Let's see, flash is: > > > > - Cross-platform > > - Cross-architecture > > - Has it's own programming language > > - Is embedded on websites > > - Access to javascript to popup, local caches, etc. > > Not on my machine? > > > It's not ineptness, it's what you get when you right software that can > > actually do stuff. > > Adobe comes from a time when you could write PC software without caring > about security. Yeah, it was a heck of a lot easier to write just about > anything back then because it was well and proper that anything could do > anything. > > Nowdays, the first questions after "hey our software could do this" must > be "but should it do that? What else could someone leverage that new > capability to do? How does it combine with every other feature in our > app or even on the whole platform? What if somebody does it repeatedly > in a tight loop? With pathological inputs?" and so on. These questions > take a long time to answer. > > So if a vendor is known for "letting app developers do more stuff" and > not also known for "letting users control what stuff gets done on their > own machines" then they are laggards, not leaders, in my view. > > > If Java applets were still the hip thing, you'd see the same thing about > > that. > > There's undoubtedly some truth to that. But at the same time, it doesn't > seem like a useful line of reasoning: > > * It's still not an argument for using Flash. > > * That Java plugins have had chronic security bugs doesn't mean that > Flash doesn't suck too. > > * You seem to imply that you don't think that Adobe is likely to secure > Flash any time soon. You're not saying "Adobe will secure Flash in the > next patch and then it will be great." But you listed all the great > stuff it does, so I have to think you would have said something like > that if you believed it. You may be making Flash look worse than it is. > > * It's basically an "appeal to futility" argument: no one could make a > development platform and browser plugin that is significantly more > secure (or does a better job of managing the security vs. "doing stuff" > trade off) so therefore we should accept the status quo. That's why it's > not useful: it gives no guidance on directions in which to improve. > > Personally, I kind of like Flash. It gives me a single kill switch for > 90% of the useless blinking crap and popups on the internet. Flash is a > really appropriate name for exactly what I don't want to see on a web > page. I hope it remains the platform of choice for those who develop > such things. > > - Marsh > > __
Re: [Full-disclosure] adobe.com important subdomain SQL injection again!
On Mon, 20 Dec 2010, Marsh Ray wrote: > OK, so if sandboxing works, then why not just let devs build x86/x64 > code in the first place? In the same category as Native Client or ActiveX. And get rid of the only good feature (or perhaps one of the few good features) of Flash (its ability to present the same content on various OSes and CPU architectures)? > Remember chapter 1 of the textbook when it said "The first rule of > security is never try to retrofit security, _ever_!!" and underlined it > three times? I guess there must be a complementary rule in chapter 1 of software project management textbooks reading "Do not ever take security into consideration when the system is being developed. Security is supposed to be an afterthought (and additional expense for the customer)! Always!" In bright red blinking (*) 48pt letters. :( (*) An amazing feat in a printed book but the wonders of modern technology will make it possible soon. -- Pavel Kankovsky aka Peak / Jeremiah 9:21\ "For death is come up into our MS Windows(tm)..." \ 21st century edition / ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] adobe.com important subdomain SQL injection again!
On Sat, Dec 18, 2010 at 3:30 PM, Victor Rigo wrote: > Let's see, flash is: > > - Cross-platform > - Cross-architecture > - Has it's own programming language > - Is embedded on websites > - Access to javascript to popup, local caches, etc. > > It's not ineptness, it's what you get when you right software that can > actually do stuff. > > If Java applets were still the hip thing, you'd see the same thing about > that. > > Victor Rigo, CISSP This insight reminds me, I really must get around to going up for my CISSP. > Computer Security Consultant > +5411-4316-1900 > Buenos Aires, Argentina > > --- On *Sat, 12/18/10, Jeffrey Walton * wrote: > > > From: Jeffrey Walton > Subject: Re: [Full-disclosure] adobe.com important subdomain SQL injection > again! > To: "Maciej Gojny" > Cc: full-disclosure@lists.grok.org.uk > Date: Saturday, December 18, 2010, 5:53 PM > > > On Sat, Dec 18, 2010 at 11:58 AM, Maciej Gojny > http://mc/compose?to=v...@ariko-security.com>> > wrote: > > hello full disclosure! > > > > After six months from the first contact with Adobe security team, > important > > adobe.com subdomain is still vulnerable to SQL injection attacks. We > hope > > that this time, serious people will try to solve the problem. > There's a reason Adobe is the most attacked software [1,2], and its > probably because they write the most vulnerable software (or > adversaries are looking for a challenge, which seems less intuitive > and highly unlikely to me). > > It appears "insecurity" is an enterprise wide practice, and not just > limited to their software. > > Jeff > > [1] "Adobe surpasses Microsoft as favorite hacker’s target" (Jul 2009) > http://lastwatchdog.com/adobe-surpasses-microsoft-favorite-hackers-target/ > > [2] "Adobe predicted as top 2010 hacker target" (Dec 2009) > http://www.theregister.co.uk/2009/12/29/security_predictions_2010/ > > ___ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > > > > ___ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] adobe.com important subdomain SQL injection again!
On 12/19/2010 09:32 PM, John Jester wrote: > > Sandboxing the plug-in from your system fixes it I believe. It's so > futile sandboxing it was key. OK, so if sandboxing works, then why not just let devs build x86/x64 code in the first place? In the same category as Native Client or ActiveX. Maybe because sandboxing isn't going to work so well? > And security, hell a multi-billion dollar company can't keep it from > gobbling up 100% cpu in some instances. Huge note: over the years has > been massive improvement in both performance and security. I wonder how much of that is the game or app itself in a tight loop. CPU is, after all, there to be used. > It's not hopeless or futile, but come on, it's like the titanic. Remember chapter 1 of the textbook when it said "The first rule of security is never try to retrofit security, _ever_!!" and underlined it three times? Well see back in 1996 there were these really popular animation and multimedia CD-ROM authoring packages and... the rest is history. - Marsh ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] adobe.com important subdomain SQL injection again!
Regarding appeal to futility. Flash has it's own programming language in it. On every OS. On i686, amd64 and now ARM. It stores your data in a local db. It's on every web page. How could you ask for more attack vectors? Sandboxing the plug-in from your system fixes it I believe. It's so futile sandboxing it was key. And security, hell a multi-billion dollar company can't keep it from gobbling up 100% cpu in some instances. Huge note: over the years has been massive improvement in both performance and security. It's not hopeless or futile, but come on, it's like the titanic. -Original Message- From: Marsh Ray To: Victor Rigo Cc: full-disclosure@lists.grok.org.uk Sent: Sun, Dec 19, 2010 8:32 pm Subject: Re: [Full-disclosure] adobe.com important subdomain SQL injection again! On 12/18/2010 05:30 PM, Victor Rigo wrote: > Let's see, flash is: > > - Cross-platform > - Cross-architecture > - Has it's own programming language > - Is embedded on websites > - Access to javascript to popup, local caches, etc. Not on my machine? > It's not ineptness, it's what you get when you right software that can > actually do stuff. Adobe comes from a time when you could write PC software without caring about security. Yeah, it was a heck of a lot easier to write just about anything back then because it was well and proper that anything could do anything. Nowdays, the first questions after "hey our software could do this" must be "but should it do that? What else could someone leverage that new capability to do? How does it combine with every other feature in our app or even on the whole platform? What if somebody does it repeatedly in a tight loop? With pathological inputs?" and so on. These questions take a long time to answer. So if a vendor is known for "letting app developers do more stuff" and not also known for "letting users control what stuff gets done on their own machines" then they are laggards, not leaders, in my view. > If Java applets were still the hip thing, you'd see the same thing about > that. There's undoubtedly some truth to that. But at the same time, it doesn't seem like a useful line of reasoning: * It's still not an argument for using Flash. * That Java plugins have had chronic security bugs doesn't mean that Flash doesn't suck too. * You seem to imply that you don't think that Adobe is likely to secure Flash any time soon. You're not saying "Adobe will secure Flash in the next patch and then it will be great." But you listed all the great stuff it does, so I have to think you would have said something like that if you believed it. You may be making Flash look worse than it is. * It's basically an "appeal to futility" argument: no one could make a development platform and browser plugin that is significantly more secure (or does a better job of managing the security vs. "doing stuff" trade off) so therefore we should accept the status quo. That's why it's not useful: it gives no guidance on directions in which to improve. Personally, I kind of like Flash. It gives me a single kill switch for 90% of the useless blinking crap and popups on the internet. Flash is a really appropriate name for exactly what I don't want to see on a web page. I hope it remains the platform of choice for those who develop such things. - Marsh ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] adobe.com important subdomain SQL injection again!
No real clue how Adobe will counter Flash 5. Perhaps they can use it as an opportunity to trim the beast down. -Original Message- From: Victor Rigo To: full-disclosure@lists.grok.org.uk Sent: Mon, Dec 20, 2010 12:56 am Subject: Re: [Full-disclosure] adobe.com important subdomain SQL injection again! Concurred. No file format is as obnoxious as SWF. However, with the debut of HTML 5, we're finding that video is being offloaded to and open codecs are being integrated into browsers. Further, HTML 5's media capabilities are making flash cumbersome. Try disabling flash extension on Firefox and enjoy real internet. Victor Rigo, CISSP Independent Computer Security Consultant Buenos Aires, AR +5411-4316-1901 --- On Sun, 12/19/10, Christian Sciberras wrote: From: Christian Sciberras Subject: Re: [Full-disclosure] adobe.com important subdomain SQL injection again! To: "Marsh Ray" Cc: "Victor Rigo" , full-disclosure@lists.grok.org.uk Date: Sunday, December 19, 2010, 9:25 PM "Personally, I kind of like Flash. It gives me a single kill switch for 90% of the useless blinking crap and popups on the internet. Flash is a really appropriate name for exactly what I don't want to see on a web page. I hope it remains the platform of choice for those who develop such things." - Marsh Ray I'll keep using that quote till I die... On Sun, Dec 19, 2010 at 9:32 PM, Marsh Ray wrote: On 12/18/2010 05:30 PM, Victor Rigo wrote: > Let's see, flash is: > > - Cross-platform > - Cross-architecture > - Has it's own programming language > - Is embedded on websites > - Access to javascript to popup, local caches, etc. Not on my machine? > It's not ineptness, it's what you get when you right software that can > actually do stuff. Adobe comes from a time when you could write PC software without caring about security. Yeah, it was a heck of a lot easier to write just about anything back then because it was well and proper that anything could do anything. Nowdays, the first questions after "hey our software could do this" must be "but should it do that? What else could someone leverage that new capability to do? How does it combine with every other feature in our app or even on the whole platform? What if somebody does it repeatedly in a tight loop? With pathological inputs?" and so on. These questions take a long time to answer. So if a vendor is known for "letting app developers do more stuff" and not also known for "letting users control what stuff gets done on their own machines" then they are laggards, not leaders, in my view. > If Java applets were still the hip thing, you'd see the same thing about > that. There's undoubtedly some truth to that. But at the same time, it doesn't seem like a useful line of reasoning: * It's still not an argument for using Flash. * That Java plugins have had chronic security bugs doesn't mean that Flash doesn't suck too. * You seem to imply that you don't think that Adobe is likely to secure Flash any time soon. You're not saying "Adobe will secure Flash in the next patch and then it will be great." But you listed all the great stuff it does, so I have to think you would have said something like that if you believed it. You may be making Flash look worse than it is. * It's basically an "appeal to futility" argument: no one could make a development platform and browser plugin that is significantly more secure (or does a better job of managing the security vs. "doing stuff" trade off) so therefore we should accept the status quo. That's why it's not useful: it gives no guidance on directions in which to improve. Personally, I kind of like Flash. It gives me a single kill switch for 90% of the useless blinking crap and popups on the internet. Flash is a really appropriate name for exactly what I don't want to see on a web page. I hope it remains the platform of choice for those who develop such things. - Marsh ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ = ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] adobe.com important subdomain SQL injection again!
I think the number of vulnerabilities (According to CVE data by NVD) related to Flash Player and Adobe products should give an idea about what's going on : Number of CVE entries related to any Adobe product : 2006 : 31 2007 : 35 2008 : 64 2009 : 95 2010 : 207 More details : http://www.cvedetails.com/vendor/53/Adobe.html Number of "Flash Player" vulnerabilities: 2006 : 5 2007 : 10 2008 : 21 2009 : 20 2010 : 60 More details : http://www.cvedetails.com/product/6761/Adobe-Flash-Player.html?vendor_id=53 Regards Serkan Özkan ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] adobe.com important subdomain SQL injection again!
Concurred. No file format is as obnoxious as SWF. However, with the debut of HTML 5, we're finding that video is being offloaded to and open codecs are being integrated into browsers. Further, HTML 5's media capabilities are making flash cumbersome. Try disabling flash extension on Firefox and enjoy real internet. Victor Rigo, CISSP Independent Computer Security Consultant Buenos Aires, AR +5411-4316-1901 --- On Sun, 12/19/10, Christian Sciberras wrote: From: Christian Sciberras Subject: Re: [Full-disclosure] adobe.com important subdomain SQL injection again! To: "Marsh Ray" Cc: "Victor Rigo" , full-disclosure@lists.grok.org.uk Date: Sunday, December 19, 2010, 9:25 PM "Personally, I kind of like Flash. It gives me a single kill switch for 90% of the useless blinking crap and popups on the internet. Flash is a really appropriate name for exactly what I don't want to see on a web page. I hope it remains the platform of choice for those who develop such things." - Marsh Ray I'll keep using that quote till I die... On Sun, Dec 19, 2010 at 9:32 PM, Marsh Ray wrote: On 12/18/2010 05:30 PM, Victor Rigo wrote: > Let's see, flash is: > > - Cross-platform > - Cross-architecture > - Has it's own programming language > - Is embedded on websites > - Access to javascript to popup, local caches, etc. Not on my machine? > It's not ineptness, it's what you get when you right software that can > actually do stuff. Adobe comes from a time when you could write PC software without caring about security. Yeah, it was a heck of a lot easier to write just about anything back then because it was well and proper that anything could do anything. Nowdays, the first questions after "hey our software could do this" must be "but should it do that? What else could someone leverage that new capability to do? How does it combine with every other feature in our app or even on the whole platform? What if somebody does it repeatedly in a tight loop? With pathological inputs?" and so on. These questions take a long time to answer. So if a vendor is known for "letting app developers do more stuff" and not also known for "letting users control what stuff gets done on their own machines" then they are laggards, not leaders, in my view. > If Java applets were still the hip thing, you'd see the same thing about > that. There's undoubtedly some truth to that. But at the same time, it doesn't seem like a useful line of reasoning: * It's still not an argument for using Flash. * That Java plugins have had chronic security bugs doesn't mean that Flash doesn't suck too. * You seem to imply that you don't think that Adobe is likely to secure Flash any time soon. You're not saying "Adobe will secure Flash in the next patch and then it will be great." But you listed all the great stuff it does, so I have to think you would have said something like that if you believed it. You may be making Flash look worse than it is. * It's basically an "appeal to futility" argument: no one could make a development platform and browser plugin that is significantly more secure (or does a better job of managing the security vs. "doing stuff" trade off) so therefore we should accept the status quo. That's why it's not useful: it gives no guidance on directions in which to improve. Personally, I kind of like Flash. It gives me a single kill switch for 90% of the useless blinking crap and popups on the internet. Flash is a really appropriate name for exactly what I don't want to see on a web page. I hope it remains the platform of choice for those who develop such things. - Marsh ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] adobe.com important subdomain SQL injection again!
"Personally, I kind of like Flash. It gives me a single kill switch for 90% of the useless blinking crap and popups on the internet. Flash is a really appropriate name for exactly what I don't want to see on a web page. I hope it remains the platform of choice for those who develop such things." - Marsh Ray I'll keep using that quote till I die... On Sun, Dec 19, 2010 at 9:32 PM, Marsh Ray wrote: > On 12/18/2010 05:30 PM, Victor Rigo wrote: > > Let's see, flash is: > > > > - Cross-platform > > - Cross-architecture > > - Has it's own programming language > > - Is embedded on websites > > - Access to javascript to popup, local caches, etc. > > Not on my machine? > > > It's not ineptness, it's what you get when you right software that can > > actually do stuff. > > Adobe comes from a time when you could write PC software without caring > about security. Yeah, it was a heck of a lot easier to write just about > anything back then because it was well and proper that anything could do > anything. > > Nowdays, the first questions after "hey our software could do this" must > be "but should it do that? What else could someone leverage that new > capability to do? How does it combine with every other feature in our > app or even on the whole platform? What if somebody does it repeatedly > in a tight loop? With pathological inputs?" and so on. These questions > take a long time to answer. > > So if a vendor is known for "letting app developers do more stuff" and > not also known for "letting users control what stuff gets done on their > own machines" then they are laggards, not leaders, in my view. > > > If Java applets were still the hip thing, you'd see the same thing about > > that. > > There's undoubtedly some truth to that. But at the same time, it doesn't > seem like a useful line of reasoning: > > * It's still not an argument for using Flash. > > * That Java plugins have had chronic security bugs doesn't mean that > Flash doesn't suck too. > > * You seem to imply that you don't think that Adobe is likely to secure > Flash any time soon. You're not saying "Adobe will secure Flash in the > next patch and then it will be great." But you listed all the great > stuff it does, so I have to think you would have said something like > that if you believed it. You may be making Flash look worse than it is. > > * It's basically an "appeal to futility" argument: no one could make a > development platform and browser plugin that is significantly more > secure (or does a better job of managing the security vs. "doing stuff" > trade off) so therefore we should accept the status quo. That's why it's > not useful: it gives no guidance on directions in which to improve. > > Personally, I kind of like Flash. It gives me a single kill switch for > 90% of the useless blinking crap and popups on the internet. Flash is a > really appropriate name for exactly what I don't want to see on a web > page. I hope it remains the platform of choice for those who develop > such things. > > - Marsh > > ___ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] adobe.com important subdomain SQL injection again!
On 12/18/2010 05:30 PM, Victor Rigo wrote: > Let's see, flash is: > > - Cross-platform > - Cross-architecture > - Has it's own programming language > - Is embedded on websites > - Access to javascript to popup, local caches, etc. Not on my machine? > It's not ineptness, it's what you get when you right software that can > actually do stuff. Adobe comes from a time when you could write PC software without caring about security. Yeah, it was a heck of a lot easier to write just about anything back then because it was well and proper that anything could do anything. Nowdays, the first questions after "hey our software could do this" must be "but should it do that? What else could someone leverage that new capability to do? How does it combine with every other feature in our app or even on the whole platform? What if somebody does it repeatedly in a tight loop? With pathological inputs?" and so on. These questions take a long time to answer. So if a vendor is known for "letting app developers do more stuff" and not also known for "letting users control what stuff gets done on their own machines" then they are laggards, not leaders, in my view. > If Java applets were still the hip thing, you'd see the same thing about > that. There's undoubtedly some truth to that. But at the same time, it doesn't seem like a useful line of reasoning: * It's still not an argument for using Flash. * That Java plugins have had chronic security bugs doesn't mean that Flash doesn't suck too. * You seem to imply that you don't think that Adobe is likely to secure Flash any time soon. You're not saying "Adobe will secure Flash in the next patch and then it will be great." But you listed all the great stuff it does, so I have to think you would have said something like that if you believed it. You may be making Flash look worse than it is. * It's basically an "appeal to futility" argument: no one could make a development platform and browser plugin that is significantly more secure (or does a better job of managing the security vs. "doing stuff" trade off) so therefore we should accept the status quo. That's why it's not useful: it gives no guidance on directions in which to improve. Personally, I kind of like Flash. It gives me a single kill switch for 90% of the useless blinking crap and popups on the internet. Flash is a really appropriate name for exactly what I don't want to see on a web page. I hope it remains the platform of choice for those who develop such things. - Marsh ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] adobe.com important subdomain SQL injection again!
On Sun, Dec 19, 2010 at 3:04 PM, Pavel Kankovsky wrote: > On Sat, 18 Dec 2010, Victor Rigo wrote: > >> It's not ineptness, it's what you get when you right software that can >> actually do stuff. > > The bad news is security's made of the stuff one CAN'T do. :) ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] adobe.com important subdomain SQL injection again!
On Sat, 18 Dec 2010, Victor Rigo wrote: > It's not ineptness, it's what you get when you right software that can > actually do stuff. The bad news is security's made of the stuff one CAN'T do. -- Pavel Kankovsky aka Peak / Jeremiah 9:21\ "For death is come up into our MS Windows(tm)..." \ 21st century edition / ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] adobe.com important subdomain SQL injection again!
On Sat, Dec 18, 2010 at 6:30 PM, Victor Rigo wrote: > Let's see, flash is: > > - Cross-platform > - Cross-architecture > - Has it's own programming language > - Is embedded on websites > - Access to javascript to popup, local caches, etc. > * Insecure (Adobe's implementation) > It's not ineptness, it's what you get when you right software that can > actually do stuff. > For completeness, I did not claim they are inept - only insecure. Insecurity in the absence of ineptness is probably more egregious - they should know better. It will be interesting to see if HTML 5 has as many security problems. I would love to see an Adobe implementation of HTML 5 go head to head with Chrome or IE. Its too bad (or perhaps we are fortunate) that Adobe does not make browsers. Jeff > --- On *Sat, 12/18/10, Jeffrey Walton * wrote: > > > From: Jeffrey Walton > Subject: Re: [Full-disclosure] adobe.com important subdomain SQL injection > again! > To: "Maciej Gojny" > Cc: full-disclosure@lists.grok.org.uk > Date: Saturday, December 18, 2010, 5:53 PM > > On Sat, Dec 18, 2010 at 11:58 AM, Maciej Gojny > http://mc/compose?to=v...@ariko-security.com>> > wrote: > > hello full disclosure! > > > > After six months from the first contact with Adobe security team, > important > > adobe.com subdomain is still vulnerable to SQL injection attacks. We > hope > > that this time, serious people will try to solve the problem. > There's a reason Adobe is the most attacked software [1,2], and its > probably because they write the most vulnerable software (or > adversaries are looking for a challenge, which seems less intuitive > and highly unlikely to me). > > It appears "insecurity" is an enterprise wide practice, and not just > limited to their software. > > Jeff > > [1] "Adobe surpasses Microsoft as favorite hacker’s target" (Jul 2009) > http://lastwatchdog.com/adobe-surpasses-microsoft-favorite-hackers-target/ > > [2] "Adobe predicted as top 2010 hacker target" (Dec 2009) > http://www.theregister.co.uk/2009/12/29/security_predictions_2010/ > > ___ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > > > > ___ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] adobe.com important subdomain SQL injection again!
Yet Flashblock has 10 million downloads On Sat, Dec 18, 2010 at 8:30 PM, Victor Rigo wrote: > Let's see, flash is: > > - Cross-platform > - Cross-architecture > - Has it's own programming language > - Is embedded on websites > - Access to javascript to popup, local caches, etc. > > It's not ineptness, it's what you get when you right software that can > actually do stuff. > > If Java applets were still the hip thing, you'd see the same thing about > that. > > Victor Rigo, CISSP > Computer Security Consultant > +5411-4316-1900 > Buenos Aires, Argentina > > --- On *Sat, 12/18/10, Jeffrey Walton * wrote: > > > From: Jeffrey Walton > Subject: Re: [Full-disclosure] adobe.com important subdomain SQL injection > again! > To: "Maciej Gojny" > Cc: full-disclosure@lists.grok.org.uk > Date: Saturday, December 18, 2010, 5:53 PM > > > On Sat, Dec 18, 2010 at 11:58 AM, Maciej Gojny > http://mc/compose?to=v...@ariko-security.com>> > wrote: > > hello full disclosure! > > > > After six months from the first contact with Adobe security team, > important > > adobe.com subdomain is still vulnerable to SQL injection attacks. We > hope > > that this time, serious people will try to solve the problem. > There's a reason Adobe is the most attacked software [1,2], and its > probably because they write the most vulnerable software (or > adversaries are looking for a challenge, which seems less intuitive > and highly unlikely to me). > > It appears "insecurity" is an enterprise wide practice, and not just > limited to their software. > > Jeff > > [1] "Adobe surpasses Microsoft as favorite hacker’s target" (Jul 2009) > http://lastwatchdog.com/adobe-surpasses-microsoft-favorite-hackers-target/ > > [2] "Adobe predicted as top 2010 hacker target" (Dec 2009) > http://www.theregister.co.uk/2009/12/29/security_predictions_2010/ > > ___ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > > > > ___ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] adobe.com important subdomain SQL injection again!
Let's see, flash is: - Cross-platform - Cross-architecture - Has it's own programming language - Is embedded on websites - Access to javascript to popup, local caches, etc. It's not ineptness, it's what you get when you right software that can actually do stuff. If Java applets were still the hip thing, you'd see the same thing about that. Victor Rigo, CISSP Computer Security Consultant +5411-4316-1900 Buenos Aires, Argentina --- On Sat, 12/18/10, Jeffrey Walton wrote: From: Jeffrey Walton Subject: Re: [Full-disclosure] adobe.com important subdomain SQL injection again! To: "Maciej Gojny" Cc: full-disclosure@lists.grok.org.uk Date: Saturday, December 18, 2010, 5:53 PM On Sat, Dec 18, 2010 at 11:58 AM, Maciej Gojny wrote: > hello full disclosure! > > After six months from the first contact with Adobe security team, important > adobe.com subdomain is still vulnerable to SQL injection attacks. We hope > that this time, serious people will try to solve the problem. There's a reason Adobe is the most attacked software [1,2], and its probably because they write the most vulnerable software (or adversaries are looking for a challenge, which seems less intuitive and highly unlikely to me). It appears "insecurity" is an enterprise wide practice, and not just limited to their software. Jeff [1] "Adobe surpasses Microsoft as favorite hacker’s target" (Jul 2009) http://lastwatchdog.com/adobe-surpasses-microsoft-favorite-hackers-target/ [2] "Adobe predicted as top 2010 hacker target" (Dec 2009) http://www.theregister.co.uk/2009/12/29/security_predictions_2010/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] adobe.com important subdomain SQL injection again!
On Sat, Dec 18, 2010 at 11:58 AM, Maciej Gojny wrote: > hello full disclosure! > > After six months from the first contact with Adobe security team, important > adobe.com subdomain is still vulnerable to SQL injection attacks. We hope > that this time, serious people will try to solve the problem. There's a reason Adobe is the most attacked software [1,2], and its probably because they write the most vulnerable software (or adversaries are looking for a challenge, which seems less intuitive and highly unlikely to me). It appears "insecurity" is an enterprise wide practice, and not just limited to their software. Jeff [1] "Adobe surpasses Microsoft as favorite hacker’s target" (Jul 2009) http://lastwatchdog.com/adobe-surpasses-microsoft-favorite-hackers-target/ [2] "Adobe predicted as top 2010 hacker target" (Dec 2009) http://www.theregister.co.uk/2009/12/29/security_predictions_2010/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] adobe.com important subdomain SQL injection again!
hello full disclosure! After six months from the first contact with Adobe security team, important adobe.com subdomain is still vulnerable to SQL injection attacks. We hope that this time, serious people will try to solve the problem. proof: http://blog.ariko-security.com/ regards, Ariko-Security TEAM ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/